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Although a modest acquisition, Qualys’ first-ever technology deal likely indicates greater ambitions beyond the end- 
point in hybrid IT management linked to vulnerability and risk remediation and control. 
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Qualys has announced the acquisition of certain assets of Nevis Networks in a deal that provides the 
company with solid passive-scanning techniques linked to endpoint security, as well as a springboard 
that it publicly acknowledges will accelerate its move into the adjacent markets of endpoint exposure 
mitigation and security response. Although a modest transaction, this marks Qualys’ first-ever technol- 
ogy purchase and indicates greater ambitions beyond the endpoint in hybrid IT management linked to 
vulnerability and risk remediation and control. 


THE 451 TAKE 


On its face, this deal is modest: the assets of a small company acquired primarily for its IP and engineer- 
ing expertise. But its implications are more far-reaching. For one thing, aside from the pickup of Nemean 
Networks and its research team in 2010, this is arguably Qualys’ first-ever technology acquisition - and it 
signals more to come. Qualys is a pioneer in SaaS delivery of security technology, which has served it well in 
vulnerability management. The company sees that vantage point as an opportunity to tackle what enterprise 
IT - and enterprise security - is becoming and will become. While this transaction targets the endpoint - a hot 
enough space as it is - the focus is on endpoint compliance, which in turn has implications for vulnerability 
remediation. This means more direct interaction with - and control over - a broader spectrum of IT, which will 
take Qualys into more direct competition with a wider range of contenders in both security and hybrid IT man- 
agement. These ambitions likely do not stop at the endpoint, as indicated by Qualys’ announcements during 
Black Hat week of new capabilities for cloud platforms and certificate management. For those who follow the 
company - and note the significance of its ‘first’ deal - things could get interesting before long. 


DEAL DETAILS 


Terms of the all-cash transaction were not disclosed, but Qualys indicates that it will not be material to its financial perfor- 
mance, which places the focus on Nevis’ technology and people. While an asset acquisition, the focus is as much on the 
target's engineering team as it is on its IP. Nevis is based in Pune, India, where Qualys maintains its own operations. 


While Qualys will continue to support existing Nevis customers and sell its products and services in India, it will incorpo- 
rate Nevis’ engineering team into its Pune organization, which is expected to infuse Qualys’ portfolio of SaaS technology 
and cloud-delivered services with technology as well as insight into visibility and control of enterprise LANs and end- 
points. In so far as appliances contribute to Nevis’ portfolio, those will be handled according to Qualys’ model of remote 
management and ‘self-updating’ functionality to minimize customer impact. 


DEAL RATIONALE 


With a well-established footprint in vulnerability management and one of security's original SaaS plays, Qualys is look- 
ing to enter new frontiers in the evolution of IT and information security. Over the past few weeks, the company has 
announced several new initiatives, including its CloudView offering for inventory and assessment of public cloud environ- 
ments, and its CertView product for managing SSL/TLS certificates. 


It's therefore not surprising that the company sees opportunities in endpoint security that closely align with its core val- 
ues. Endpoint security is one of today’s most active areas of infosec, where new disruptors as well as established incum- 
bents are actively (and sometimes aggressively) challenging each other for the place in the enterprise - and in enterprise 
budgets - traditionally held by antivirus and legacy endpoint security. 


Qualys has long had a strong position in visibility into vulnerability and risk exposure across diverse IT environments. 
With the addition of Nevis’ assets, the company now has enhanced visibility into endpoints and the distributed enterprise 
network, as well as a new footprint for endpoint control. In the press release announcing the deal, Qualys chairman and 
CEO Philippe Courtot alluded to the leg up this move gives the company for moving even further into endpoint security, 
building anticipation for the next steps in its strategy for tackling endpoint remediation and response as well. 
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ACQUIRER PROFILE 


Founded in 1999, Redwood City, California-based Qualys is one of the pioneers of SaaS-delivered security technol- 
ogy, capitalizing from its outset on the scalability of a platform that centralizes vulnerability, assets, requirements 
and policy intelligence and management for thousands of customers worldwide. The company claims over 9,300 
customers in more than 120 countries, including 60% of the Forbes Global 50. Courtot has led Qualys from the 
outset, with technology currently under the leadership of chief product officer Sumedh Thakar and chief com- 
mercial officer Amer Deeba. 


The company’s offering is centered on the Qualys Cloud Platform, a SaaS model that capitalizes on the central- 
ized scalability and performance of cloud technologies for providing vulnerability and security assessment and 
visibility across a diverse IT terrain. According to Qualys data, each year the platform supports over three billion IP 
scans, collects more than 28 billion data points and reports one trillion-plus security events. In addition to broad 
support for several traditional IT, on-premises technologies and Web application security, the platform also offers 
compatibility with AWS, Microsoft Azure and Google Cloud Platform, and provides strategies for objectives from 
compliance to security integration with DevOps initiatives. 


TARGET PROFILE 


Founded in 2003 as an early contender in the network access control market, Nevis Networks underwent reorgani- 
zation and since 2009 its assets have been owned by Aviram Networks. The company was founded by the late Ajit 
Shelat, a serial entrepreneur who had previously sold SwitchOn Networks to PMC-Sierra for $450m. Radha Shelat 
is currently CEO, with Raghu lyer and Ravi Dara serving as CTO and VP of engineering, respectively. Nevis has ap- 
proximately 20 paying customers, primarily in India, but Qualys expects to take its technology and insights more 
widely to its worldwide customer base. 


The company’s technology is focused on monitoring and enforcement of network access consistent with an orga- 
nization’s identity, device configuration and software requirements, with a line of appliances that emphasize LAN 
security and out-of-band deployment that minimizes the impact on network performance while ensuring en- 
forcement when required. Nevis’ technology further monitors traffic for evidence of malware based on intrusion- 
prevention and anomaly-detection capabilities. Its LANsight management platform provides event monitoring 
and correlation of network events with user identity. Nevis offers a cloud-based endpoint compliance service that 
aligns with the Qualys model, reporting on policy compliance throughout an organization, as well as providing 
automated remediation of OS patch levels and endpoint security software updates. 


COMPETITION AND OUTLOOK 


Several of today’s IT and security trends already play to Qualys’ strengths. As a pioneer of SaaS delivery in secu- 
rity, Qualys is well positioned for visibility across other SaaS, cloud and hosted offerings, in addition to its long- 
established role in managing vulnerabilities and compliance for traditional IT and web applications. The ease of 
integration of a SaaS model with other tools lends itself to initiatives for monitoring and ensuring security for 
other hosted or cloud-based technologies, which suggests that Qualys may well be on a course that will take it 
into more directly competitive territory against other security leaders focused on the cloud, including Symantec 
and Cisco, particularly since their acquisitions of Blue Coat and OpenDNS, respectively. 


Looking a bit further down the road, this also suggests that Qualys may become more directly engaged in con- 
solidating security management for infrastructure-as-a-service platforms that lend themselves to API-driven 
techniques for inventory, assessment and management. As noted, Qualys already offers support for AWS, Google 
Cloud Platform and Microsoft Azure, and has developed a strategy for DevOps support, which we would expect to 
expand as security management strategies for hybrid environments continue to mature. 

However, this specific deal is centered on the endpoint - another hot area for security at present, primarily in the 
arena of threat defense. Qualys’ play with Nevis is in endpoint policy compliance and insurance - and that puts 
vulnerability remediation in view. 
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This takes Qualys into provocative new territory, which suggests potential further positioning against an even 
greater variety of rivals. Initially, that list would range from ServiceNow’s growing slate of security partners, but it 
could also come to include a host of firms focused on IT infrastructure management, particularly for software and 
patch management (and by extension, potentially secure software development, deployment and management 
in DevOps pipelines). The linkage between process and technology in this realm could conceivably also lead Qual- 
ys in the direction of security automation and orchestration suggestive of FireEye’s pickup of Invotas’ orchestration 
capabilities, Microsoft's more recent reach for Hexadite and - closer to home - Rapid7’s acquisition of Komand. 


Whatever its direction turns out to be, these potentialities make Qualys a much more interesting player to watch 
going forward as digital transformation wields its impact on security and compliance as thoroughly as it does on 
others aspects of enterprise technology - and opens doors for one of security's cloud pioneers. 


ACQUIRER 
Qualys 


TARGET 
Nevis Networks (assets) 


SUBSECTOR 


Security 


DEAL VALUE 
Undisclosed 


DATE ANNOUNCED 
August 1, 2017 


EXPECTED CLOSING DATE, EXPECTED 
Q3 2017 
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